ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
New ClamAV database number 19330 adds even more new Potentially Unwanted Applications to their signatures.

Added: PUA.Macro.DoubleExtension-zippwd-2
Added: PUA.Misc.DoubleExtension-zippwd-4
Added: PUA.Macro.DoubleExtension-rarpwd-2
Added: PUA.Misc.DoubleExtension-rarpwd-2
Added: PUA.Windows.DoubleExtension-zippwd-3
Added: PUA.Windows.DoubleExtension-rarpwd-3


Last edited by ROCKNROLLKID on Mon Sep 08, 2014 6:13 pm; edited 2 times in total
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
The PUA sigs about a year or so ago hit a lot of packers and were really a nuisance, so we took PUAs out of Clam Sentinel detections. One person's PUA is another person's acceptable program. I think AVs should just confine themselves to real malware, and many of them seem to be doing that. Some users will even accept adware as okay if they get something in return. Lots of legitimate software now snoops on users, geolocates, etc.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
New types of signatures added in ClamAV database 19346.

Added: Rar.Suspect.MacroDoubleExtension-rarpwd-2
Added: Rar.Suspect.MiscDoubleExtension-rarpwd-2
Added: Zip.Suspect.WinDoubleExtension-zippwd
Added: Rar.Suspect.WinDoubleExtension-rarpwd-2
Added: Zip.Suspect.MacroDoubleExtension-zippwd-3
Added: Zip.Suspect.MiscDoubleExtension-zippwd-3

Some type of rar and zip infections?


Last edited by ROCKNROLLKID on Mon Sep 08, 2014 9:05 pm; edited 1 time in total
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
Looks to me like signatures for double extensions in various situations--instead of a comprehensive heuristic--like that used by Clan Sentinel.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
More double zip/rar entenstion signatures have been added to database version 19372.

Added: Rar.Suspect.MacroDoubleExtension-rarpwd-3
Added: Rar.Suspect.MiscDoubleExtension-rarpwd-3
Added: Zip.Suspect.WinDoubleExtension-zippwd-1
Added: Rar.Suspect.WinDoubleExtension-rarpwd-3
Added: Zip.Suspect.MiscDoubleExtension-zippwd-4
Added: Zip.Suspect.MacroDoubleExtension-zippwd-4
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
Yes - they are all PUAs, which might not really be malware. For some reason, Virus Total is treating Clam PUAs the same way it does the Symantec "suspicious" designation. Many AVs have gotten away from PUP/PUA--a file is either "good" or "bad."
Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
More double extension added to database number 19417 and 19422

Database 19417:

Added: Zip.Suspect.FileName-zippwd-2
Added: Rar.Suspect.FileName-rarpwd-2
Added: Zip.Suspect.ExecutableAirfare-zippwd-1
Added: Rar.Suspect.ExecutableAirfare-rarpwd-1
Added: Rar.Suspect.ExecutableCopy-rarpwd
Added: Zip.Suspect.ExecutableCopy-zippwd
Added: Zip.Suspect.ExecutableProduct-zippwd
Added: Rar.Suspect.ExecutableProduct-rarpwd
Added: Rar.Suspect.ExecutablePurchaseOrder-rarpwd-2
Added: Zip.Suspect.ExecutablePhoto-zippwd-2
Added: Zip.Suspect.ExecutablePurchaseOrder-zippwd-3
Added: Rar.Suspect.ExecutablePurchaseOrder-rarpwd-3
Added: Rar.Suspect.ExecutablePhoto-rarpwd-2

Database 19422:

Added: Rar.Suspect.MiscDoubleExtension-rarpwd-5
Added: Zip.Suspect.MacroDoubleExtension-zippwd-5
Added: Zip.Suspect.WinDoubleExtension-zippwd-2
Added: Rar.Suspect.MacroDoubleExtension-rarpwd-4


Last edited by ROCKNROLLKID on Tue Sep 23, 2014 3:20 pm; edited 1 time in total
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
They are all detections for malware inside zipped files, and it appears to me that each detection is rather narrow. They will probably not detect much after the individual files are changed, and you can be sure that they will be changed very shortly! There are other archive programs besides rar/zip, and other executable formats besides .exe/photos, and filenames can be changed.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
July 8th is apparently when .98.5 beta version came out. It is now September 25th and it is still in beta. Anyone know why it is taking longer then other versions? It has been over 2 months now.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
I think it's the same old story, RRK. Clam AV is free and open source--Cisco can't make much money from that. They continue to concentrate (understandably, I guess) upon the commercial side, and Clam AV (ultimately ClamWin as well) gets a few crumbs now and then. Personnel, time, and equipment mainly support commercial.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
It isn't like the ClamAV to hold a version for over a month like this. At first, I thought maybe they hold the version back because of the new website, but now I am thinking, maybe something big is coming, something unexpected from ClamAV. Then again, you could also be right, GuitarBob. Hopefully, ClamAV won't let us down.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
I think the biggest thing they could do is make user submissions more important than Virus Total submission!. Part of the time I was sigmaking at Clam they used Kaspersky, Bit Defender, and Dr. Web to scan submissions as an aid to sigmakers, but they quit that. It was too expensive, I guess, but if two of those three AVs say something is infected, it probably is, and they could have gone ahead and gotten an automated sig for it a long time ago--before a lot of other AVs were using automated sigs.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
One thing I noticed with ClamAV database, they seem to get a lot of the same samples. The signature makers should really communicate with each other and search different parts of the web to help reduce this. Might also improve detection ratios slightly doing it this way, too. This is how I did it with my old malware hunter team at Malwarebytes.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4335
Location: USA
Reply with quote
Probably 90% of the Clam AV samples come from Virus Total. The rest comes from user submissions and other security industry sources. The only ones that are regularly worked (by automation) are the samples from Virus Total. They do a very poor job of working user submissions because they are not automated.

Telemetry is everything to an AV company. You need to at least cover your user submissions. Clam AV doesn't do a good job at that The bulk of the Virus Total samples come from somewhere else.

Malwarebytes is doing a good job of covering the viruses I check, but they don't have a good easy way for users to submit samples, so I don't know how well they are serving their actual users. Perhaps they are still concentrating upon the high-profile, advanced persistent threat stuff. I wonder how many of those their users will encounter. I once had an MBR virus I was working on get away from me, and the Pro edition of Malwarebytes did not catch it.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
Even if that is the case, they should still communicate with each other to prevent this duplication. We should also remember ClamAV is a Linux anti-virus and that was meant to stop the spread of virus from Linux systems to Windows systems. In that case, VT signatures are good enough if that was the intention. I think that's what they also think, too.

Still no luck with pidgin, at all? Do you need help setting it up?
View user's profileSend private message
Updates on ClamAV are posted here
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 2 of 9  

  
  
 Reply to topic